Ricky MondelloiOS 26 (and OSes 26 in general) add an OS-facilitated way to securely migrate your passkeys, passwords, and other data saved in one password manager app to another. The details here are super interesting and are covered in the WWDC25 video “What's new in passkeys” (https://developer.apple.com/videos/play/wwdc2025/279). The rest of this post includes a summary of part of that video and other publicly-available information. (I am not breaking any kind of news here.)
- Data is sent from one app to the other without exporting any kind of file to a filesystem. This means it can’t accidentally be accidentally uploaded to an attacker attempting to compromise one or all of your accounts.
- There’s an OS API that password manager apps call to export their data. Then, securely and out-of-process, users select which app to send the data to. They are reminded of the scope of the data, and authentication with local biometrics or their passcode to confirm sending the data.
- The destination app is not revealed to the source app.
- Remember that crappy unstandardized CSV format for migrating passwords between password managers? It’s going to be a thing of the past, because…
- The data sendable via the API is explicitly based on the “Credential Exchange Format” (https://fidoalliance.org/specifications-credential-exchange-specifications/) standard. This standard is being developed in the FIDO Alliance, the standards body working on passkeys, but the spec covers far more than passwords and passkeys. In fact, it was co-developed by 1Password, Dashlane, and others. There’s a collection of Swift structs in the SDK implementing the standard, with as few modifications as possible.
- The data format part of the API is versioned so it can evolve as the Credential Exchange Format does.
I know it’s taken some time for this to come to fruition, but I hope that delivering a phishing-resistant credential migration process based on open standards (with a credential format standardized for the first time!) makes up for the delay. As I have said since day 1, your passkey data is yours. Passkeys are not a form of “vendor lock-in”.
daniel:// stenberg://
Ken Shirriff
Taggart 
Nanoraptor
Natasha Jay
Anuj Ahooja
Jan Wildeboer 😷
Tattie
𝓼𝓱𝓮𝓮𝓹 🐑🌈